VULNERABILITY ASSESSMENT
AND
PENETRATION TEST REPORT
FOR
AVINEON INDIA
FROM
CONTENTS
1 EXECUTIVE SUMMARY
3 APPENDIX
DOCUMENT DETAILS
DOCUMENT VERSION CONTROL
Document Title: External Vulnerability Assessment And Penetration Testing Report
Document Id: NII//AVINEON//Oct15
Prepared By: Shubham Jain
Reviewed By: Vikash Tiwari
Approved By: Jaideep Patil
Effective Date: November 6, 2015
NOTICE
This document contains information which is the intellectual property of Network Intelligence (India) Pvt.
Ltd. (also called NII Consulting). This document is received in confidence and its contents cannot be
disclosed or copied without the prior written consent of NII Consulting.
Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. NII Consulting
disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness
for a particular purpose; merchantability; non infringement of intellectual property or other rights of any
third party or of NII Consulting; indemnity; and all others. The reader is advised that third parties can have
intellectual property rights that can be relevant to this document and the technologies discussed herein,
and is advised to seek the advice of competent legal counsel, without obligation of NII Consulting.
NII Consulting retains the right to make changes to this document at any time without notice. NII
Consulting makes no warranty for the use of this document and assumes no responsibility for any errors
that can appear in the document nor does it make a commitment to update the information contained
herein.
COPYRIGHT
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.
TRADEMARKS
Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners' benefit, without intent to infringe.
1 EXECUTIVE SUMMARY
1.1 SUMMARY
AVINEON INDIA had assigned Network Intelligence (I) Pvt. Ltd. the task of carrying out an internal network
vulnerability assessment and penetration test activity on the given set of IP addresses, as included in the
scope of work.
1.2 OBJECTIVE
The purpose of the assessment was to determine and exploit security vulnerabilities in the given set of IP
addresses listed in the scope. The tests were carried out assuming the identity of an inside attacker or a
disgruntled employee with malicious intent. Due care was taken not to harm the servers as requested.
1.3 DURATION
This assessment was performed from 30th October to 4th November 2015. The detailed report on each
task and our findings is given below.
1.4 APPROACH
[Figure: approach diagram. Stages recovered from the figure: Perform scanning; Document findings &
gather proof-of-concepts at all the stages; Develop strategy to enhance security posture.]
The scope of this assessment was limited to the IP addresses mentioned below:
The following summarizes the list of findings discovered during the project:
[Chart: number of findings by severity. Labels recovered from the chart: HIGH 4, MEDIUM 4, LOW 2.]
HIGH
This rating is reserved for system vulnerabilities that will result in serious impact to the organization.
Depending on the criticality of the system, risks of this magnitude could represent a financial impact or
damage customer and partner relationships.
It is imperative that efforts be undertaken immediately to mitigate the vulnerabilities in this category. All
‘High’ severity levels are defined by the following examples:
MEDIUM
Medium threats are defined by some of the following examples:
Denial of Service
Unencrypted protocol access
Disclosure of server details
Application errors
LOW
Low threats are defined by some of the following examples:
Services enabled with a past history of security flaws
Limited exploit of read
Directory browsing
Information Disclosure
Old software
General security recommendations
OBSERVATION
These issues represent a very low level of security threat. These issues include minor information leakage,
unnecessary services or legacy protocols that provide no real threat to security.
Ease of exploitation refers to the complexity and effort required by an attacker to successfully exploit a
vulnerability uncovered during a penetration test. Factors that make exploitation easier include how easily
the vulnerable element can be discovered and the availability of free or easy-to-use tools to exploit it.
These factors give an attacker great leverage to craft a targeted attack against an information asset and
hence increase the impact of the issue, as it can be more easily exploited.
Based on these factors, ease of exploitation is classified as Easy, Moderate or Difficult, defined as
follows:
EASY
The ease of exploitation is stated as Easy, when there is a public exploit available and the exploitable
element is easily discoverable – i.e. without authentication. This exploit may require no or very little
modification to successfully compromise the target system. Absence of compensating controls makes the
ease of exploitation quite straightforward in this case.
MODERATE
The ease of exploitation is stated as Moderate when the time required by an attacker is substantially
greater and the attacker has very little or restricted access to the targeted resource. Any available exploit
has to be customized considerably for a successful infiltration, which poses a significant challenge for the
attacker. Compensating controls, where present, have to be subverted or bypassed in innovative ways for
exploitation to succeed.
DIFFICULT
The ease of exploitation is stated as Difficult, when the resources required to exploit the vulnerability are
very high. Most likely, there is no publicly available exploit and the vulnerable element is accessible only
after authentication. Also, additional compensating controls such as a WAF or reduced access rights make
exploitation even more difficult. To subvert them, the attacker needs to fully utilize his skills, requiring
dedicated time for planning and execution, thereby making the exploitation very challenging and difficult.
2 TECHNICAL REPORT
2.1 NETWORK SECURITY TESTING
EASE OF EXPLOITATION
EASY
AFFECTED IP
175.101.4.233:25[TCP]
175.101.4.234:25[TCP]
ANALYSIS
During the analysis it was observed that the remote host was vulnerable to an open relay attack. Please see
the screenshots below:
IMPACT
An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to
send e-mail through it, not just mail destined to or originating from known users.
RECOMMENDATION
Follow the steps provided by Kerio Support to properly configure the server and mitigate this vulnerability;
please see the reference below.
REFERENCE
CVE-1999-0512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0512
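As an added example (not from the report or from Kerio), the following Python shows the relay decision a properly configured SMTP server makes on each RCPT TO command, beside a classifier that reads a captured SMTP exchange and tells an open relay from a closed one. The local domain, addresses and transcripts are constructed samples.

```python
"""Added example, not part of the report: closed-relay policy for RCPT TO and
a classifier for captured SMTP sessions. All names below are constructed."""
from typing import List, Tuple

# Assumed: the domains this mail server is authoritative for.
LOCAL_DOMAINS = {"example.test"}


def _domain_of(address: str) -> str:
    """'RCPT TO:<user@host>' or '<user@host>' -> 'host' (lower-cased)."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def rcpt_decision(rcpt_to: str, authenticated: bool = False) -> str:
    """Reply to RCPT TO. A closed relay accepts mail for its own domains from
    anyone and relays to other domains only for authenticated clients; an
    open relay would answer 250 in every case."""
    if _domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient OK"
    if authenticated:
        return "250 2.1.5 Recipient OK"
    return "554 5.7.1 Relay access denied"


def is_open_relay(transcript: List[Tuple[str, str]]) -> bool:
    """Classify a captured SMTP session given as (client command, server
    reply) pairs: open relay if a RCPT TO for a non-local domain was
    accepted (2xx) before the client authenticated."""
    authenticated = False
    for command, reply in transcript:
        verb = command.split(None, 1)[0].upper()
        if verb == "AUTH" and reply.startswith("235"):
            authenticated = True
        elif verb == "RCPT" and reply.startswith("2") and not authenticated:
            if _domain_of(command) not in LOCAL_DOMAINS:
                return True
    return False


# Constructed transcript: an unauthenticated client asks the server to relay
# to a foreign domain and the server accepts it (the finding above).
OPEN_RELAY_SESSION = [
    ("EHLO client.example", "250-mail.example.test"),
    ("MAIL FROM:<sender@elsewhere.example>", "250 2.1.0 Sender OK"),
    ("RCPT TO:<someone@other.example>", "250 2.1.5 Recipient OK"),
]

# Constructed transcript: the same request against a server that applies
# rcpt_decision, i.e. the configured state the recommendation asks for.
CLOSED_RELAY_SESSION = [
    ("EHLO client.example", "250-mail.example.test"),
    ("MAIL FROM:<sender@elsewhere.example>", "250 2.1.0 Sender OK"),
    ("RCPT TO:<someone@other.example>", rcpt_decision("<someone@other.example>")),
]
```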
EASE OF EXPLOITATION
MODERATE
AFFECTED IP
175.101.4.226:23[TCP]
ANALYSIS
It was observed during the analysis that the Telnet server transmits traffic in clear text.
FIGURE 2: UNENCRYPTED TELNET SERVER
FIGURE 3: TELNET CREDENTIALS IN WIRESHARK
IMPACT
Using Telnet over an unencrypted channel is not recommended, as logins, passwords, and commands are
transferred in clear text. This allows a remote man-in-the-middle attacker to eavesdrop on a Telnet
session to obtain credentials or other sensitive information and to modify traffic exchanged between the
client and server.
RECOMMENDATION
We strongly suggest either implementing encryption or disabling the Telnet service and using the latest
version of SSH, i.e. SSH version 2, instead.
REFERENCE
Implementing Encryption in Telnet
http://www.cs.cmu.edu/~droh/755/encr_telnet.html
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.236
175.101.4.245
ANALYSIS
During analysis, we identified that the remote host appeared to be running Microsoft Windows Server 2003.
Support for this operating system by Microsoft ended on July 14th, 2015.
FIGURE 4: WINDOWS SERVER 2003
IMPACT
Lack of support implies that no new security patches for the product will be released by the vendor. As a
result, it is likely to contain security vulnerabilities. Furthermore, Microsoft is unlikely to investigate or
acknowledge reports of vulnerabilities.
RECOMMENDATION
It is highly recommended that the latest vendor-supported OS, such as Windows Server 2008 or Windows
Server 2012, be deployed.
REFERENCE
Microsoft’s Official Announcement
https://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/
https://www.microsoft.com/en-in/download/details.aspx?id=5023
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.231:80[TCP]
175.101.4.232:80[TCP]
175.101.4.239:80[TCP]
175.101.4.244:80[TCP]
175.101.4.245:80[TCP]
ANALYSIS
During analysis, we identified that the remote hosts were running Microsoft IIS 6.0 and 7.5, which are
older versions affected by vulnerabilities of significant severity.
FIGURE 5: IIS VERSION 7.5
IMPACT
The older versions of IIS, i.e. versions 6.0 and 7.5, are vulnerable to high-severity security flaws such as
Denial of Service and Buffer Overflow.
RECOMMENDATION
It is highly recommended that IIS version 8.5 or the latest version, i.e. 10, be deployed.
REFERENCE
Microsoft IIS 6.0 vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-13492/Microsoft-IIS-6.0.html
Microsoft IIS 10
http://www.iis.net/learn/get-started/whats-new-in-iis-10
https://www.microsoft.com/en-us/download/details.aspx?id=48264
EASE OF EXPLOITATION
MODERATE
AFFECTED IP
175.101.4.233:110[TCP]
ANALYSIS
During analysis, we found that POP version 3 was running on port 110, which allowed credentials to be
transmitted in clear text.
FIGURE 6: CREDENTIALS ENTERED
FIGURE 7: USERNAME CAPTURED IN CLEAR TEXT IN WIRESHARK
FIGURE 8: PASSWORD CAPTURED IN CLEAR TEXT IN WIRESHARK
IMPACT
An attacker may eavesdrop on the communication and obtain sensitive information, which may include
the credentials used for POP3 communications.
RECOMMENDATION
It is strongly suggested that POP3 traffic be encrypted with SSL/TLS, e.g. using stunnel.
REFERENCE
Threats from using clear-text protocols internally
https://www.solutionary.com/resource-center/blog/2010/11/clear-text-is-fineits-internal/
Securing Kerio
http://kb.kerio.com/product/kerio-connect/server-configuration/security/securing-kerio-connect-1239.html
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
SSLv3 POODLE Vulnerability:
175.101.4.226:443[TCP]
175.101.4.227:443[TCP]
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]
ANALYSIS
SSLv3 POODLE Vulnerability:
During analysis, we determined that the remote servers supported SSLv2 and/or SSLv3 with at least one
CBC cipher suite, indicating that these servers were vulnerable.
Additionally, it appeared that TLSv1 or newer was supported on the servers. However, the Fallback SCSV
mechanism was not supported, which allowed connections to be "rolled back" to SSLv3.
FIGURE 9: SHOWS SERVER VULNERABLE TO POODLE
FIGURE 10: SHOWS SERVER IS VULNERABLE TO TLS POODLE
IMPACT
SSLv3 POODLE Vulnerability:
A MiTM [Man-in-the-Middle] attacker can decrypt a selected byte of a cipher text in as few as 256 tries if
they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0
connections.
RECOMMENDATION
SSLv3 POODLE Vulnerability:
Following are the recommendations:
1. Disable SSLv3 on the system and use TLS version 1.2.
2. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can
be disabled.
REFERENCE
POODLE Attacks on SSLv3
https://www.imperialviolet.org/2014/10/14/poodle.html
CVE-2014-3566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
Steps to enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.226:443[TCP]
ANALYSIS
During the analysis it was observed that the host was vulnerable to the CCS Injection vulnerability.
FIGURE 11: SHOWS CCS INJECTION
IMPACT
This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt it while
forcing SSL clients to use weak keys which are exposed to the malicious nodes. Both servers and clients
are affected by this vulnerability.
RECOMMENDATION
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users
(client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should
upgrade to 1.0.1h. Please refer to the link provided in the reference.
REFERENCE
CVE-2014-0224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
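As an added example, not from the report, the following Python checks an OpenSSL version string against the fixed releases named in the recommendation above (0.9.8za, 1.0.0m, 1.0.1h) and applies that check to a host inventory; the inventory and version strings are constructed samples.

```python
"""Added example, not part of the report: is a given OpenSSL release at or
past the fix for CCS Injection (CVE-2014-0224) on its branch? The thresholds
are the ones the recommendation states; the inventory is constructed."""
import re
from typing import Dict, Optional, Tuple

# Branch -> first letter release carrying the fix, as given in the recommendation.
FIXED_RELEASES = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)$")


def parse_openssl_version(version: str) -> Tuple[str, str]:
    """Split '1.0.1g' into ('1.0.1', 'g'); an empty suffix is the base release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    return m.group(1), m.group(2)


def letter_key(suffix: str) -> Tuple[int, str]:
    """OpenSSL letter releases run a..z and then za, zb, ...; a longer
    suffix is always the later release, so (length, suffix) sorts them."""
    return (len(suffix), suffix)


def ccs_injection_fixed(version: str) -> Optional[bool]:
    """True if the release is at or past the fixed letter for its branch,
    False if it is older, None if the branch is not one the report covers."""
    branch, letter = parse_openssl_version(version)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return letter_key(letter) >= letter_key(fixed)


def audit_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'ok' / 'vulnerable' / 'unknown-branch' for a
    {host: openssl_version} inventory."""
    result = {}
    for host, version in inventory.items():
        fixed = ccs_injection_fixed(version)
        if fixed is None:
            result[host] = "unknown-branch"
        else:
            result[host] = "ok" if fixed else "vulnerable"
    return result


# Constructed inventory (hostnames and versions are placeholders).
SAMPLE_INVENTORY = {
    "vpn-gw": "1.0.1g",   # pre-fix 1.0.1 release
    "mail-gw": "1.0.1h",  # first fixed 1.0.1 release
    "legacy-app": "0.9.8y",
    "legacy-proxy": "0.9.8zb",
}
```

Distribution packages often backport the fix without changing the upstream version string, so treat a "vulnerable" result from this check as a prompt to confirm against the package changelog rather than as proof.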
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
SSL RC4 Cipher Suites Supported:
175.101.4.246:443[TCP]
175.101.4.247:443[TCP]
ANALYSIS
SSL RC4 Cipher Suites Supported
During analysis we identified that the remote hosts supported the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.
FIGURE 12: SSL RC4 CIPHER SUITES SUPPORTED
FIGURE 13: SSL SELF-SIGNED CERTIFICATE
FIGURE 14: SSL CERTIFICATE SIGNED WITH WEAK HASHING ALGORITHM
FIGURE 15: CLIENT-INITIATED RENEGOTIATION
FIGURE 16: SSL VERSION 3
FIGURE 17: SSL VERSION 2
IMPACT
SSL RC4 Cipher Suites Supported
If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens
of millions of) ciphertexts, the attacker may be able to derive the plaintext.
RECOMMENDATION
SSL RC4 Cipher Suites Supported
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites, subject to browser and web server support.
REFERENCE
Attacking SSL when using RC4
http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf
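The following Python, added here and not part of the report, builds a server-side TLS context that applies both the POODLE recommendation above (disable SSLv3, use TLS 1.2) and the RC4 recommendation (AES-GCM suites, no RC4), then audits the resulting configuration. It uses only the standard library, needs no certificate or network for the audit, and the weak cipher entry at the end is a constructed sample.

```python
"""Added example, not part of the report: TLS server context applying the
POODLE and RC4 recommendations, plus an audit of what it actually offers."""
import ssl
from typing import Dict, List

# Cipher string matching the recommendation: TLS 1.2 AEAD suites, RC4 excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5"


def hardened_server_context() -> ssl.SSLContext:
    """Server context with the report's settings applied. With SSLv3 refused
    there is nothing for a client to be rolled back to, so the missing
    TLS_FALLBACK_SCSV support noted in the POODLE finding no longer matters."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv2/SSLv3/TLS1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_ciphers(ciphers: List[Dict[str, str]]) -> Dict[str, bool]:
    """Check a cipher list in the shape returned by SSLContext.get_ciphers()
    (dicts with at least 'name' and 'description'); every value should be True."""
    names = [c["name"] for c in ciphers]
    return {
        "no_rc4": not any("RC4" in n for n in names),
        # AEAD suites (AES-GCM, ChaCha20-Poly1305) carry no CBC padding,
        # which is the property POODLE exploits in SSLv3 CBC suites.
        "all_aead": bool(ciphers) and all("Mac=AEAD" in c["description"] for c in ciphers),
        "has_aes_gcm": any("GCM" in n for n in names),
    }


def audit_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Full audit of a context: protocol floor plus the cipher checks."""
    report = audit_ciphers(ctx.get_ciphers())
    report["tls12_floor"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    report["sslv3_disabled"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1
    return report


# Constructed sample of the kind of suite the affected hosts still offered;
# the description mirrors the format of `openssl ciphers -v` output.
WEAK_CIPHER_LIST = [
    {"name": "RC4-SHA", "description": "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1"},
]
```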
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.245:80 [TCP]
ANALYSIS
During analysis, we identified that an IP address was disclosed while enumerating port 80. This might be
an internal IP address, as shown in the screenshot below.
FIGURE 18: INTERNAL IP ADDRESS DISCLOSED
IMPACT
Based on the revealed IP address, an attacker can map out the internal IP addressing scheme and spoof an
IP address in the same range to avoid detection.
RECOMMENDATION
Prevent this information from being displayed to the user.
2.1.10 INTERNET KEY EXCHANGE (IKE) AGGRESSIVE MODE WITH PRE-SHARED KEY
SEVERITY
LOW
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.227:500[UDP]
ANALYSIS
It was observed that the Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode
with Pre-Shared Key (PSK) authentication.
FIGURE 19: AGGRESSIVE MODE ENABLED
IMPACT
When a VPN is configured to use a pre-shared master secret and a client attempts to negotiate keys in
aggressive mode, a hash of the secret is transmitted across the network in clear text. This may result in
the hash being leaked to eavesdroppers or malicious clients. An offline brute-force attack on this hash may
then be performed to obtain the clear-text secret.
RECOMMENDATION
Below are some recommendations:
Disable Aggressive Mode.
Do not use a Pre-Shared Key for authentication if possible.
If using a Pre-Shared Key cannot be avoided, use very strong keys.
REFERENCE
Paper on IKE Aggressive Scan
http://www.giac.org/paper/gcih/541/vpn-aggressive-mode-pre-shared-key-brute-force-attack/104625
EASE OF EXPLOITATION
DIFFICULT
AFFECTED IP
175.101.4.231:80[TCP]
175.101.4.232:80[TCP]
175.101.4.239:80[TCP]
175.101.4.243:80[TCP]
175.101.4.244:80[TCP]
175.101.4.245:80[TCP]
175.101.4.248:80[TCP]
ANALYSIS
During analysis it was found that the web servers disclose the ASP.NET and Microsoft IIS versions in the
response to a server request. ASP.NET versions 2.0 & 4.0 and Microsoft IIS Server versions 6.0, 7.5 and 8.5
were disclosed. Please see the screenshot below.
FIGURE 20: VERSION DISCLOSURE
IMPACT
Information disclosure in HTTP response headers and error messages reveals sensitive data, such as
technical details of the web server, environment, or user-specific data.
Sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its
users. This helps an attacker to launch target-specific attacks.
RECOMMENDATION
To fix IIS version information disclosure:
1) Download the URLScan Security Tool from the link mentioned in the reference below and install it.
2) Stop the IISAdmin service.
3) Navigate to the ‘Urlscan’ folder (default location: %systemroot%\System32\Inetsrv\Urlscan).
4) Open the Urlscan.ini file in Notepad or WordPad.
5) Locate & modify the entry “RemoveServerHeader=0” to “RemoveServerHeader=1”.
6) Save this file.
7) Start the IISAdmin service.
The following web.config setting disables the ASP.NET version header:
<configuration>
  <!-- enableVersionHeader="false" stops ASP.NET adding the X-AspNet-Version response header;
       element names in web.config are case-sensitive, so it is system.web, not System.Web -->
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
REFERENCE
Download URLScan from
http://www.iis.net/download/urlscan
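As an added example serving both the outdated IIS finding and the version disclosure finding above (not from the report), the following Python audits raw HTTP response headers for disclosed IIS/ASP.NET versions and flags the IIS releases the report calls outdated. The two responses are constructed samples of the state before and after the recommended changes.

```python
"""Added example, not part of the report: audit HTTP response headers for
IIS/ASP.NET version disclosure and for the outdated IIS releases named in
the report (6.0 and 7.5). Sample responses are constructed."""
import re
from typing import Dict, List

# IIS releases the report calls out as outdated; 8.5 and 10 are its recommended targets.
OUTDATED_IIS = {"6.0", "7.5"}
# Standard headers IIS / ASP.NET emit that reveal the technology or its version.
DISCLOSING_HEADERS = ("server", "x-aspnet-version", "x-powered-by", "x-aspnetmvc-version")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head (status line plus headers) into a dict
    keyed by lower-cased header name; the body, if any, is not expected."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:            # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str) -> List[str]:
    """Return the findings for one response; an empty list means it is clean."""
    h = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in h:
            findings.append(f"version disclosure: {name}: {h[name]}")
    m = re.search(r"Microsoft-IIS/(\d+\.\d+)", h.get("server", ""))
    if m and m.group(1) in OUTDATED_IIS:
        findings.append(f"outdated IIS {m.group(1)}: upgrade to 8.5 or 10")
    return findings


# Constructed sample: the kind of response the version disclosure finding describes.
BEFORE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Type: text/html"""

# Constructed sample after RemoveServerHeader=1 (URLScan) and
# enableVersionHeader="false" (web.config) have been applied.
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html"""
```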
For this engagement, the IP addresses listed in the scope were scanned. The attached files sent along with
the report contain the port scanning results for this test.
The ports that appear to be open on each server are listed in the HTML file, along with the port number,
the service that usually runs on that port and the banner displayed by the service.
Please refer to the attached HTML file for the port scanning results.
3 APPENDIX
Types of penetration testing approach and their description:
Black Box Approach
Here, we only know the URL of the website. Enumeration of technologies, mapping of the website,
identification of fault injection points, determining input validation vulnerabilities, or logical security
vulnerabilities, and the OWASP top 10 attacks are all part of this exercise.
Grey Box Approach
Often enough, a web application involves authentication and authorization components. In order to be
able to test these, we request a dummy user account with the least level of privileges within the
application. Using this account, we are able to log in and test for various flaws in the authentication
scheme, as well as attempt to escalate our privileges and bypass authorization restrictions.
War Dialing
A Penetration Test technique in which a list of telephone numbers is called to search for computers,
systems and fax machines. The purpose is to gain as much business-critical data as possible with the help
of this technique.
Wireless Hacking
Wireless hacking is done to gather all possible loopholes in an organization’s wireless infrastructure. This
is done with the intention of gaining unauthorized access and trying to exploit as many of the available
resources as possible.
Social Engineering
Controls can be put on systems and devices, but the same does not hold true for the people using these
systems (employees/temporaries). Social Engineering is the method by which hackers try to get
confidential and business-critical information using various techniques. This test focuses on finding and
exploiting all the possible loopholes pertaining to this domain so that your organization is geared up to
face social engineering attacks in real life.
War Driving
War driving can be carried out to test the range and strength of your organization’s wireless network
signal. This will help to gauge the extent of the threat exposure area for your organization.
Business Risk Based Approach
The traditional Penetration Testing approach focuses only on technical vulnerabilities. The Business Risk
based approach focuses not only on technical vulnerabilities but also on the risks posed to the business
of AVINEON INDIA. First, test cases pertaining to the business threat model are developed, and the
Penetration Test is carried out focusing mainly on those cases. This method has many advantages over
the traditional Penetration Test methodology, one of the biggest being that it is business focused.
Source Code Review
Source code review focuses on detecting vulnerabilities early in the Software Development Life Cycle
(SDLC), such as dataflow attacks, Cross Site Scripting (XSS), Injection (SQL, File, XPATH, reflection, etc.),
File Inclusion/execution and Information Leakage. This methodology will help AVINEON INDIA to close
the loopholes during the development and testing phase.
Internal Penetration Testing
Many organizations secure their organization from outside threats but leave their internal network
security comparatively weak, and it has been proved over and over again that the organization’s security
was compromised from within the network. Internal Penetration Testing focuses on identifying these
loopholes and recommending solutions to make the internal network secure and thwart internal threats
and attacks.
Vulnerability Assessment
Vulnerability Assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities of
the components of IT infrastructure.